Merge pull request #6227 from glitsj16/virt-manager

New profile: virt-manager
author: netblue30 <netblue30@protonmail.com> 2024-02-29 10:07:01 -0500
committer: GitHub <noreply@github.com> 2024-02-29 10:07:01 -0500
commit: 5d1a1e61b9c8d07212e5f4c6adbccf5f1ead3544 (patch)
tree: d5eed1c45e5a271a76a6084ae694885e60e0e177
parent: Merge pull request #6226 from glitsj16/gnome-boxes (diff)
parent: Create virt-manager.profile (diff)
download: firejail-5d1a1e61b9c8d07212e5f4c6adbccf5f1ead3544.tar.gz
firejail-5d1a1e61b9c8d07212e5f4c6adbccf5f1ead3544.tar.zst
firejail-5d1a1e61b9c8d07212e5f4c6adbccf5f1ead3544.zip
2 files changed, 73 insertions, 0 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index f3b44ac3e..aa83691eb 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -227,6 +227,7 @@ blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/ueberzugpp
 blacklist ${HOME}/.cache/ungoogled-chromium
+blacklist ${HOME}/.cache/virt-manager
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/vivaldi-snapshot
 blacklist ${HOME}/.cache/vlc
diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile
new file mode 100644
index 000000000..86fe63ef9
--- /dev/null
+++ b/etc/profile-m-z/virt-manager.profile
@@ -0,0 +1,72 @@
+# Firejail profile for virt-manager
+# Description: Manage virtual machines
+# This file is overwritten after every install/update
+# Persistent local customizations
+include virt-manager.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/virt-manager
+noblacklist ${RUNUSER}/libvirt
+noblacklist /sbin
+noblacklist /usr/sbin
+# Allow python 3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# breaks app
+#include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/virt-manager
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/virt-manager
+whitelist ${RUNUSER}/libvirt
+whitelist /run/libvirt
+whitelist /usr/share/libvirt
+whitelist /usr/share/osinfo
+whitelist /usr/share/qemu
+whitelist /usr/share/seabios
+whitelist /usr/share/virt-manager
+# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
+whitelist /var/lib/usbutils/usb.ids
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+# breaks app
+#apparmor
+# For host-only network sys_admin is needed.
+# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+caps.keep net_raw,sys_nice
+#caps.keep net_raw,sys_admin
+netfilter
+nodvd
+notv
+tracelog
+private-cache
+private-etc @network,@sound,@tls-ca,@x11
+private-tmp
+writable-var
+dbus-user filter
+dbus-user.own org.virt-manager.virt-manager
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
+# breaks app
+#deterministic-shutdown
+# breaks app
+#restrict-namespaces
author	netblue30 <netblue30@protonmail.com>	2024-02-29 10:07:01 -0500
committer	GitHub <noreply@github.com>	2024-02-29 10:07:01 -0500
commit	5d1a1e61b9c8d07212e5f4c6adbccf5f1ead3544 (patch)
tree	d5eed1c45e5a271a76a6084ae694885e60e0e177
parent	Merge pull request #6226 from glitsj16/gnome-boxes (diff)
parent	Create virt-manager.profile (diff)
download	firejail-5d1a1e61b9c8d07212e5f4c6adbccf5f1ead3544.tar.gz firejail-5d1a1e61b9c8d07212e5f4c6adbccf5f1ead3544.tar.zst firejail-5d1a1e61b9c8d07212e5f4c6adbccf5f1ead3544.zip

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index f3b44ac3e..aa83691eb 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -227,6 +227,7 @@ blacklist ${HOME}/.cache/torbrowser
227	blacklist ${HOME}/.cache/transmission	227	blacklist ${HOME}/.cache/transmission
228	blacklist ${HOME}/.cache/ueberzugpp	228	blacklist ${HOME}/.cache/ueberzugpp
229	blacklist ${HOME}/.cache/ungoogled-chromium	229	blacklist ${HOME}/.cache/ungoogled-chromium
		230	blacklist ${HOME}/.cache/virt-manager
230	blacklist ${HOME}/.cache/vivaldi	231	blacklist ${HOME}/.cache/vivaldi
231	blacklist ${HOME}/.cache/vivaldi-snapshot	232	blacklist ${HOME}/.cache/vivaldi-snapshot
232	blacklist ${HOME}/.cache/vlc	233	blacklist ${HOME}/.cache/vlc


diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile new file mode 100644 index 000000000..86fe63ef9 --- /dev/null +++ b/etc/profile-m-z/virt-manager.profile
@@ -0,0 +1,72 @@
		1	# Firejail profile for virt-manager
		2	# Description: Manage virtual machines
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include virt-manager.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.cache/virt-manager
		10	noblacklist ${RUNUSER}/libvirt
		11
		12	noblacklist /sbin
		13	noblacklist /usr/sbin
		14
		15	# Allow python 3 (blacklisted by disable-interpreters.inc)
		16	include allow-python3.inc
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-exec.inc
		21	include disable-interpreters.inc
		22	# breaks app
		23	#include disable-proc.inc
		24	include disable-programs.inc
		25	include disable-xdg.inc
		26
		27	mkdir ${HOME}/.cache/virt-manager
		28	whitelist ${DOWNLOADS}
		29	whitelist ${HOME}/.cache/virt-manager
		30	whitelist ${RUNUSER}/libvirt
		31	whitelist /run/libvirt
		32
		33	whitelist /usr/share/libvirt
		34	whitelist /usr/share/osinfo
		35	whitelist /usr/share/qemu
		36	whitelist /usr/share/seabios
		37	whitelist /usr/share/virt-manager
		38	# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
		39	whitelist /var/lib/usbutils/usb.ids
		40	include whitelist-common.inc
		41	include whitelist-run-common.inc
		42	include whitelist-runuser-common.inc
		43	include whitelist-usr-share-common.inc
		44	include whitelist-var-common.inc
		45
		46	# breaks app
		47	#apparmor
		48	# For host-only network sys_admin is needed.
		49	# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
		50	caps.keep net_raw,sys_nice
		51	#caps.keep net_raw,sys_admin
		52	netfilter
		53	nodvd
		54	notv
		55	tracelog
		56
		57	private-cache
		58	private-etc @network,@sound,@tls-ca,@x11
		59	private-tmp
		60	writable-var
		61
		62	dbus-user filter
		63	dbus-user.own org.virt-manager.virt-manager
		64	dbus-user.talk ca.desrt.dconf
		65	dbus-user.talk org.freedesktop.Notifications
		66	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
		67	dbus-system none
		68
		69	# breaks app
		70	#deterministic-shutdown
		71	# breaks app
		72	#restrict-namespaces